How to maintain the log source host using logstash

Question

I am following the steps in this blog to set up rsyslog + logstash + graylog2 and I can't figure out how to replace the @source_host attribute in logstash using the mutate -> replace filter.

In the exmaple the author replaces his @source_host with a string value but I'd like to use the actual value that is parsed from in this case a syslog.

mutate {
  type => loc1
  replace => ["@source_host", "loc1"]
}
mutate {
  type => loc2
 replace => ["@source_host", "loc2"]
}

How do I actually maintain the original source host in my logs?

Can you add the link to the blog? – Joel E Salas Apr 14 '12 at 00:30 — Joel E Salas, Apr 14 '12 at 00:30

score 1 · Answer 1 · answered May 14 '12 at 02:12

1

if the field has already been matched to the record, and is available then you might be able to do this;

mutate {
    type => loc2
    replace => [ "@source_host","%{this_field}" ]
}

(though I have not tried replacing out the @source_host field before, but give it a try and let us know how it went... ;-)

the blog?

answered May 14 '12 at 02:12

Tom

10,886
5
39
62

I had already tried your suggestion when I originally attempted to use logstash between rsyslog and graylog and had no luck. I've since moved to just sending logs directly to graylog2 from rsyslog and it's working fine. I might revisit this again some day if I need to do more granular filtering and formatting of my logs with logstash. – Ray Rodriguez May 22 '12 at 09:32

How to maintain the log source host using logstash

1 Answers1